Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-kramdown

[ Reason ]
Fixes a CVE and RC bug #985569

[ Tests ]
all autopkgtests of reverse dependencies passed.

[ Risks ]
The change should not cause regressions on non-malicious code.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock ruby-kramdown/2.3.0-5
commit b80244870c477d90090305f569eea39f7bd2b3f5
Author: Antonio Terceiro <terceiro@debian.org>
Date: Sat Apr 3 10:40:54 2021 -0300
Add upstream patch to fix arbitrary code execution vulnerability
This is CVE-2021-28834
Closes: #985569
diff --git a/debian/changelog b/debian/changelog
index 088c244..012d553 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-kramdown (2.3.0-5) unstable; urgency=medium
+
+ * Team upload.
+ * Add upstream patch to fix arbitrary code execution vulnerability
+ [CVE-2021-28834] (Closes: #985569)
+
+ -- Antonio Terceiro <terceiro@debian.org> Sat, 03 Apr 2021 10:39:28 -0300
+
ruby-kramdown (2.3.0-4) unstable; urgency=medium
* Recommend ruby-rouge, for out-of-the-box syntax highlighting
diff --git a/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
new file mode 100644
index 0000000..68457a6
--- /dev/null
+++ b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
@@ -0,0 +1,69 @@
+From: Stan Hu <stanhu@gmail.com>
+Date: Sun, 14 Mar 2021 11:21:00 -0700
+Subject: Restrict Rouge formatters to Rouge::Formatters namespace
+
+ff0218a added support for specifying custom Rouge formatters with the
+constraint that the formatter be in theRouge::Formatters namespace, but
+it did not actually enforce this constraint. For example, this is valid:
+
+```ruby
+Rouge::Formatters.const_get('CSV')
+=> CSV
+```
+
+Adding the `false` parameter to `const_get` prevents this:
+
+```ruby
+Rouge::Formatters.const_get('CSV', false)
+NameError: uninitialized constant Rouge::Formatters::CSV
+```
+---
+ lib/kramdown/converter/syntax_highlighter/rouge.rb | 2 +-
+ test/test_files.rb | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+index c799526..ed6a4f8 100644
+--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+@@ -70,7 +70,7 @@ module Kramdown::Converter::SyntaxHighlighter
+ when Class
+ formatter
+ when /\A[[:upper:]][[:alnum:]_]*\z/
+- ::Rouge::Formatters.const_get(formatter)
++ ::Rouge::Formatters.const_get(formatter, false)
+ else
+ # Available in Rouge 2.0 or later
+ ::Rouge::Formatters::HTMLLegacy
+diff --git a/test/test_files.rb b/test/test_files.rb
+index 82ff6b0..3517e55 100644
+--- a/test/test_files.rb
++++ b/test/test_files.rb
+@@ -21,16 +21,20 @@ begin
+ end
+
+ # custom formatter for tests
+- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
++ module Rouge
++ module Formatters
++ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+
+- tag 'rouge_html_formatters'
++ tag 'rouge_html_formatters'
+
+- def stream(tokens, &b)
+- yield %(<div class="custom-class">)
+- super
+- yield %(</div>)
+- end
++ def stream(tokens, &b)
++ yield %(<div class="custom-class">)
++ super
++ yield %(</div>)
++ end
+
++ end
++ end
+ end
+ rescue LoadError, SyntaxError, NameError
+ end
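Review bot: The patch header carries only From/Date/Subject; since this is a security backport, the DEP-3 fields `Origin: upstream, <upstream commit URL>`, `Bug-Debian: https://bugs.debian.org/985569` and `Bug: <upstream issue URL for CVE-2021-28834>` should be added so the patch can be matched against upstream when the next release is reviewed. On the fix itself, passing `false` as the second argument makes `const_get` stop at `Rouge::Formatters` instead of walking up to `Object`, which is why a top-level constant such as `CSV` no longer resolves; it still returns any constant defined directly under `Rouge::Formatters`, so a follow-up that checks the result is actually a formatter class (the `when Class` branch a few lines above already accepts any class) would make a non-formatter constant fail early rather than at render time. The test change also shows a user-visible consequence: custom formatters must now be defined inside `module Rouge; module Formatters`, so code that defined them elsewhere will get `NameError`; that is worth a sentence in the changelog or README.Debian, since the unblock's "[ Risks ]" line only covers malicious input.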
diff --git a/debian/patches/series b/debian/patches/series
index 7d4b5b1..f8d5d26 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
fix_manpage_warnings.patch
+0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
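Review bot: The new entry uses a `git format-patch` style `0002-...` name while the only other patch in the series is `fix_manpage_warnings.patch` and there is no `0001-`; quilt does not care, but a descriptive name such as `CVE-2021-28834-restrict-rouge-formatters.patch` would match the existing convention and make the security fix easy to spot in `debian/patches/`.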